This year, 2019, most of the attacks will come via the SSL/TLS channel.
This is one of the processes of user ID and password harvesting from top corporations.
Each and every day this URL is being changed. It is sharing simple spreadsheet macros to the destination system.
Most firewalls are confused and do not detect it as malicious...
This is one of the biggest reasons why URL filtering is best accomplished by hiring a service to maintain the list, rather than trying to "roll your own".
My experience says that those URLs confuse next-gen firewalls and proxies as well.
The latest URL filtering signatures are unable to detect it unless you make a manual exception on the vendor side.
Things are ephemeral... All renowned researchers fail to identify this new variant...
Unless we have some sort of SSL inspection device in line.
If you were to report it to your firewall/proxy vendor and ask that they mark it malicious, it would benefit many more people than just adding it to your own private list.
Also, most filtering systems allow unknowns by default. Changing this to default-deny is painful, but will generally catch cr*p like this.
Within a second, a hundred systems were compromised... until the vendor categorized it as malicious... As a quick fix, deny that host IP at the perimeter device ACL... Maybe your Internet router, from where your entire external site is being routed...